Malvin Ly
https://malvinly.com
Feed last updated: Wed, 06 Sep 2017 07:06:48 +0000
A different kind of training
https://malvinly.com/2017/07/09/a-different-kind-of-training/
Sun, 09 Jul 2017 05:09:11 +0000

Every year, I make an effort to attend at least one software conference. In years past, I attended several conferences around my area such as the Kansas City Developers Conference and St. Louis Day of .NET.

I decided to take a break this year and do something different.

This weekend, I drove down to Farmington Missouri to attend the “basics of tactical shooting” course taught by Asymmetric Solutions. What drew me to Asymmetric Solutions was their impressive set of instructors with real world experience. Most, if not all, of their instructors are combat experienced special operations veterans.

I usually go to an indoor range once a week, but all of my shooting thus far has been from a static position using paper targets. I knew I wasn’t well rounded, so I wanted to sign up for this course.

I didn’t know what to expect at first because I imagined the course being filled with military-esque characters. But as I arrived at the facility and people started to gather, I was pleasantly surprised to see there were a wide range of people from new shooters to very experienced. I felt like I was somewhere in the middle.

Our group had 14 students (3 women and 12 men) and 1 instructor (Dave). The day started off with dry firing exercises such as drawing from the holster and re-holstering. We moved onto practicing magazine changes and the difference between combat and tactical reloads. As our group became comfortable with handling our weapons, we started incorporating movements into our practice. We learned how to move forward, backwards, turn left/right, and make 180 degree turns.

The afternoon was dedicated to live fire exercises. Our instructor ran us through a variety of exercises on the range that incorporated everything we learned in the morning. We also discussed how to clear any malfunctions that occur during the operation of our weapon. I started off fairly decent when we were firing from a static position. As soon as we started incorporating movements or target discrimination drills, my inexperience started to show. Fortunately, our instructor was quick to explain what I was doing wrong and how to address it. It was a good learning experience for me to hear what I needed to improve on and listen to what the instructor was saying to other students as well. This was also a great opportunity for me to practice firing from my holster since it’s not allowed at the indoor range.

I believe I was the only person in my group that had a weapon with a manual safety. I brought my M&P M2.0 to the class. The majority of the people in my group, including the instructor, had a Glock. I know a lot of people balk at the idea of a manual safety on a pistol, but since my Sig P938 has a manual safety, I wanted to practice with another pistol that has a manual safety as well. It quickly dawned on me how much extra work there is to remember to flick on/off the safety each time I draw and re-holster. I’m fine with that, but it’s something I’ll have to practice to let muscle memory take over.

Some of my important takeaways:

Don’t be a robot. Practice drawing more smoothly and don’t make sharp, robotic movements.

I take too long to sight in my weapon after I draw. I need to start sighting in my weapon as I extend my arms.

Slow down during target discrimination and acquire the next target before taking action.

Practice smoother magazine changes.

Our instructor Dave did an excellent job explaining each concept and technique to us. Most importantly, he explained why they were important in the real world. With so much emphasis placed on safety, there wasn’t a single time during the whole day where I felt unsafe. Trigger discipline, muzzle control, and gun checks were paramount. I believe everyone in our group had a good time.

The only negative thing about the course was the amount of time we spent waiting for our turn during the live fire exercises. Since the class had 14 students and each exercise only had 2-4 active participants at a time, we spent a lot of time watching and waiting for our turn. It was really hot outside this weekend, so standing around in the sun for 8 hours was brutal. I think this is the closest I’ve ever been to getting a sunburn. It would have been better if the class size was smaller or if they had split us into two groups during the live fire exercises to allow students more opportunities to practice. However, the course was still worth it.

I am definitely going back to attend their advanced courses in the coming months. Hats off to Asymmetric Solutions and my instructor Dave for providing an excellent training environment.

Understanding multiple anti-forgery tokens in ASP.NET MVC
https://malvinly.com/2017/06/10/understanding-multiple-anti-forgery-tokens-in-asp-net-mvc/
Sat, 10 Jun 2017 05:30:33 +0000

The MVC helper “Html.AntiForgeryToken()” can be used to protect your application against cross-site request forgery (CSRF). It generates both a hidden form field and a cookie; the two carry matching values that are validated against each other on the server.

Our website utilizes multiple forms on the same view and each form contains an anti-forgery token. However, each call to “Html.AntiForgeryToken()” generates a different value. For example, multiple calls such as:

Looking back at the “GetFormInputElement” method, we can see the code checks for the existence of a token from the cookies collection using the method “GetCookieTokenNoThrow”. Drilling into the code shows it’s not complicated. If it exists, it deserializes into an “AntiForgeryToken”, otherwise it returns null.

So from what we can see, if a token can be deserialized from the request’s cookie collection, the helper reuses that token instead of generating a new one. If no token exists in the cookie collection, it instantiates a new “AntiForgeryToken” and randomly generates a new 16-byte array to represent the token.

Going back to the method “GetFormInputElement”, we can see it calls the method “SaveCookieToken” after generating or reusing the existing token.

After generating the first token and saving it to the cookie collection, all subsequent calls to the helper method “Html.AntiForgeryToken()” will follow the same steps and reuse the existing token from the cookie collection instead of generating a new value. Since it is a session cookie, this means the anti-forgery token’s value is generated only once during a browser session and is reused for all subsequent calls.

So why are the hidden field values different from one another if they are reusing the same token? To answer that, we have to look at the token serializer.

The “Protect” method uses the internal class “AspNetCryptoServiceProvider” to encrypt the token using our specified machineKey in the config. So while the encrypted values may look different, the decrypted values are the same. To test this, we can use the decompiled code from dotPeek to “Unprotect” the encrypted values.

In summary, the verification tokens generated by “Html.AntiForgeryToken()” are all identical within a browser session, regardless of how many times we call it. The values only appear different because each one is encrypted using our machineKey.
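The behaviour described above, reduced to a self-contained model: this is an added example, not the post’s code and not the actual ASP.NET MVC source. It stands in a dictionary for the request’s cookie collection, a random 32-byte key for the machineKey, and AES-CBC with a fresh IV per call for the “Protect” step. The method names GetFormInputElement, GetCookieTokenNoThrow, SaveCookieToken, Protect and Unprotect are borrowed from the post; the cookie name is an assumption. Two calls return different hidden-field strings that decrypt to the same 16-byte token.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical model of the helper's token flow (added example, not ASP.NET's code).
public sealed class AntiForgeryModel
{
    private const string CookieName = "__RequestVerificationToken"; // assumed cookie name
    private readonly Dictionary<string, byte[]> _cookies = new Dictionary<string, byte[]>(); // stands in for the cookie collection
    private readonly byte[] _machineKey;                                                     // stands in for machineKey in web.config

    public AntiForgeryModel(byte[] machineKey) { _machineKey = machineKey; }

    // Mirrors GetFormInputElement: reuse the cookie token if one exists, otherwise create one,
    // save it to the cookie collection, then emit the protected (encrypted) form value.
    public string GetFormInputElement()
    {
        byte[] token = GetCookieTokenNoThrow();
        if (token == null)
        {
            token = new byte[16];                       // new random 16-byte token
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(token);
        }
        SaveCookieToken(token);
        return Convert.ToBase64String(Protect(token));
    }

    private byte[] GetCookieTokenNoThrow()
    {
        byte[] raw;
        return _cookies.TryGetValue(CookieName, out raw) ? raw : null;
    }

    private void SaveCookieToken(byte[] token) { _cookies[CookieName] = token; }

    // Protect: AES-CBC under the machine key with a random IV per call, IV prepended.
    // Identical input therefore produces a different ciphertext on every call.
    private byte[] Protect(byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = _machineKey;
            aes.GenerateIV();
            byte[] body;
            using (var enc = aes.CreateEncryptor())
                body = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] output = new byte[aes.IV.Length + body.Length];
            Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
            Buffer.BlockCopy(body, 0, output, aes.IV.Length, body.Length);
            return output;
        }
    }

    // Unprotect: read the IV back from the first 16 bytes and decrypt the rest.
    public byte[] Unprotect(string fieldValue)
    {
        byte[] blob = Convert.FromBase64String(fieldValue);
        using (var aes = Aes.Create())
        {
            aes.Key = _machineKey;
            byte[] iv = new byte[16];
            Buffer.BlockCopy(blob, 0, iv, 0, 16);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, 16, blob.Length - 16);
        }
    }

    public static void Main()
    {
        byte[] machineKey = new byte[32];                // constructed key for the demo
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(machineKey);
        var helper = new AntiForgeryModel(machineKey);

        string first = helper.GetFormInputElement();
        string second = helper.GetFormInputElement();
        Console.WriteLine("Hidden field values differ: " + (first != second));

        string a = Convert.ToBase64String(helper.Unprotect(first));
        string b = Convert.ToBase64String(helper.Unprotect(second));
        Console.WriteLine("Decrypted tokens equal:     " + (a == b));
    }
}
```

Running Main prints “true” for both lines. The model only covers what the post describes (token reuse and per-call encryption); it says nothing about the other fields the real framework packs into its tokens or the attributes it sets on the cookie, so do not read it as a description of the production format.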

Check whether a .NET dll is built for Any CPU, x86, or x64
https://malvinly.com/2016/11/16/check-whether-a-net-dll-is-built-for-any-cpu-x86-or-x64/
Wed, 16 Nov 2016 20:56:27 +0000

As much as I would like all builds to come from a build server, many times a build comes from a developer’s machine. When I receive a build from another developer’s machine, I need to check whether their build is targeting the correct platform.

I can use CorFlags.exe, which is part of the .NET Framework SDK, to find out this information from a dll. Running CorFlags.exe with the file path to the dll will produce the following output:
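The same check done in code, as an added example that is not part of the post: it reads the PE and CLI header bits that CorFlags.exe reports (PE32 vs. PE32+, 32BITREQ, 32BITPREF, ILONLY) with System.Reflection.PortableExecutable, which is built into .NET Core and available on .NET Framework through the System.Reflection.Metadata package. Nothing is loaded into the process, so it is safe to run on an untrusted dll. The ordering of the tests matters: an “Any CPU, 32-bit preferred” image sets the 32BITPREFERRED bit together with 32BITREQUIRED so that older runtimes treat it as 32-bit only, so the preferred bit must be examined before the required bit.

```csharp
using System;
using System.IO;
using System.Reflection.PortableExecutable;

// Added example: classify a managed dll's platform target from its headers.
public static class PlatformTargetCheck
{
    public static string Describe(string dllPath)
    {
        using (var stream = File.OpenRead(dllPath))
        using (var pe = new PEReader(stream))
        {
            PEHeaders headers = pe.PEHeaders;
            if (headers.CorHeader == null)
                return "not a managed assembly (no CLI header)";

            bool pe32Plus = headers.PEHeader.Magic == PEMagic.PE32Plus;
            CorFlags flags = headers.CorHeader.Flags;
            bool ilOnly = (flags & CorFlags.ILOnly) != 0;
            bool req32 = (flags & CorFlags.Requires32Bit) != 0;
            bool pref32 = (flags & CorFlags.Prefers32Bit) != 0;

            // CorFlags.exe reports 32BITREQ as 0 when the image merely prefers 32-bit,
            // even though the required bit is physically set alongside the preferred bit.
            string summary = string.Format(
                "PE={0} 32BITREQ={1} 32BITPREF={2} ILONLY={3} Machine={4}",
                pe32Plus ? "PE32+" : "PE32",
                (req32 && !pref32) ? 1 : 0,
                pref32 ? 1 : 0,
                ilOnly ? 1 : 0,
                headers.CoffHeader.Machine);

            string target;
            if (pe32Plus) target = "x64";
            else if (pref32) target = "Any CPU (32-bit preferred)";
            else if (req32) target = "x86";
            else if (!ilOnly) target = "x86 (contains native code, 32-bit only)";
            else target = "Any CPU";
            return target + "  [" + summary + "]";
        }
    }

    public static void Main(string[] args)
    {
        foreach (string path in args)
            Console.WriteLine(path + ": " + Describe(path));
    }
}
```

Run it with one or more dll paths as arguments. Because it inspects headers only, it also works on a dll built for the other bitness than the process doing the checking, which is exactly the case a build-verification step needs to cover.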

MITM using Chromium Embedded Framework and Fiddler
https://malvinly.com/2016/10/04/mitm-using-chromium-embedded-framework-and-fiddler/
Tue, 04 Oct 2016 07:24:31 +0000

For some background, I use a popular website that shows certain artifacts around my city. When a location is clicked, it shows what artifacts are available at that location. The website works by sending an AJAX request to an API when a location is clicked and returns a JSON-serialized list of artifacts.

A few weeks ago, I wrote a script to call their API directly. The script contained an infinite loop to call their API every minute and notify me when it found new artifacts. I could run this script when I was sleeping or away from my computer and it would text me the details using Twilio when it found something.

However, the website started cracking down on unsolicited API calls to their service a few days ago. Their first attempt was to generate a unique token each time a user visits their website, and that token was included as part of the API call. This was simple to bypass since my script could simply scrape the website for the token.

They wised up pretty quickly. A few days later, they started obfuscating how the token was generated and each API call required a new token. I spent an hour trying to deobfuscate how they generated the token, but I couldn’t figure it out without spending a large amount of time on it.

Fortunately, there’s still a way around it. Chromium Embedded Framework (CEF) allows me to embed a headless browser into my script that is able to execute JavaScript and everything else a normal user would be able to do.

I can load the website using CEF and inject JavaScript into the website to click on links.

Triggering a click event will cause the website to generate a new token and submit an AJAX request to their API. Unfortunately, I couldn’t find any CEF documentation that showed me how to intercept the AJAX response.

Instead of trying to intercept the AJAX response using CEF, I used FiddlerCore to capture the AJAX response. FiddlerCore can see all the traffic between CEF and their API.

Instead of calling their API directly, I had to jump through a few hoops to get the data I wanted. Injecting click events into the website through CEF allowed me to automate the API calls without having to decipher the token generation. FiddlerCore allowed me to monitor the traffic between CEF and their API.

Back from NSBCon 2015
https://malvinly.com/2015/12/10/back-from-nsbcon-2015/
Fri, 11 Dec 2015 05:48:30 +0000

I just returned from Dallas, having attended NSBCon 2015. Overall, it was a very positive experience with several informative sessions. It was a good opportunity for me to relax and rejuvenate, since I haven’t been feeling very motivated lately.

One of the announcements was ServiceMatrix is being discontinued. I’ve never been a fan of using drag-drop tools for anything outside of user interface development, so the discontinuation will probably save me some stress in the future.

The next release of NServiceBus will utilize asynchronous message handlers, which is unfortunately a breaking change. The session continued with explanations on how to migrate existing codebases and pitfalls to watch out for.

The session on Akka.NET and the actor model piqued my interest. I’ve heard of Akka.NET, but I haven’t investigated any further. Having one of the developers talk about Akka.NET was a good chance to hear what it brings to the table. Definitely something I’ll need to look into more.

I especially enjoyed listening to the panel discussions and hearing everyone’s opinion on topics that the audience brought up. It’s always a pleasure to listen to several well known developers in the industry talking about past, present, and future architectures/patterns being used in the wild. The topic around technological fads resonated with me. In my opinion, there are simply too many people that immediately become overzealous about new and shiny patterns or technologies without looking at past mistakes. History repeats itself and too many people ignore that.

There was another great session about things not to do with NServiceBus. While the examples were targeted to NServiceBus, the principle applies to a lot of other things. Too many times, certain software is shoved down everyone’s throat as the end-all solution for everything.

Everything considered, I enjoyed the four days I spent in Dallas. Most of the sessions were very informative and insightful, so I have plenty to think about.

Logging database and web service calls with PostSharp
https://malvinly.com/2015/11/04/logging-database-and-web-service-calls-with-postsharp/
Wed, 04 Nov 2015 22:42:36 +0000

We’ve been having some sporadic performance problems with our website. We needed to find out which page or operation was taking too long to complete and exhausting all the worker threads. Unfortunately, due to the size of the codebase and the lack of performance auditing, it was difficult to pinpoint where the problem was occurring.

Only a small portion of the codebase was utilizing dependency injection, so we couldn’t decorate or intercept all dependencies with an auditing class. Fortunately, an IL weaving framework such as PostSharp can help with this situation. This was my first time using PostSharp, but I found it tremendously helpful.

Without modifying the existing code, I want to log the connection string, any parameters, and the amount of time it took to execute this stored procedure. We’ll inherit from OnMethodBoundaryAspect to record information before and after our database call.

Great, now I can see the duration of each database call and its parameters without digging through IIS logs hoping to find something to reconstruct the request. In addition to database calls, I want to log any web service requests. As with the database aspect, we can inherit from OnMethodBoundaryAspect to log information before and after the request.
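An aspect of the kind both paragraphs describe, written as an added example rather than the post’s own code: it inherits from PostSharp’s OnMethodBoundaryAspect, records the arguments on entry, the elapsed time on exit and the exception type on failure, and can be applied to a single method or multicast over a namespace without touching the method bodies. The repository class, the stored procedure name usp_CountOrders and the namespace in the multicast comment are constructed for the illustration. One caveat worth building in from the start: the connection string the post wants to log usually carries a password, so the example strips it before writing the line, and it writes parameter values only after the same redaction hook, since parameters can hold tokens or personal data just as easily.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Linq;
using PostSharp.Aspects;

// Added example aspect (requires the PostSharp package at build time).
// PostSharp instantiates aspects at compile time, hence [Serializable].
[Serializable]
public class TimedCallAspect : OnMethodBoundaryAspect
{
    public override void OnEntry(MethodExecutionArgs args)
    {
        // Stash a stopwatch on the execution so OnExit can read the elapsed time.
        args.MethodExecutionTag = Stopwatch.StartNew();
        string parameters = string.Join(", ", args.Arguments.Select(Redact));
        Log("ENTER " + args.Method.DeclaringType.Name + "." + args.Method.Name + "(" + parameters + ")");
    }

    public override void OnExit(MethodExecutionArgs args)
    {
        var sw = (Stopwatch)args.MethodExecutionTag;
        Log("EXIT  " + args.Method.Name + " after " + sw.ElapsedMilliseconds + " ms");
    }

    public override void OnException(MethodExecutionArgs args)
    {
        // Log the type only; exception messages from data access can echo SQL or input.
        Log("FAIL  " + args.Method.Name + ": " + args.Exception.GetType().Name);
    }

    // Connection strings carry credentials: drop the password before it reaches a log.
    private static string Redact(object arg)
    {
        if (arg == null) return "null";
        var conn = arg as SqlConnection;
        if (conn != null)
        {
            var builder = new SqlConnectionStringBuilder(conn.ConnectionString);
            builder.Remove("Password");
            return "[" + builder.ConnectionString + "]";
        }
        return arg.ToString();
    }

    private static void Log(string line)
    {
        Trace.WriteLine(DateTime.UtcNow.ToString("o") + " " + line);
    }
}

// Usage: attach to one method as below, or multicast over a whole namespace with
//   [assembly: TimedCallAspect(AttributeTargetTypes = "MyApp.Data.*")]   (namespace is hypothetical)
public class OrderRepository
{
    [TimedCallAspect]
    public int CountOrders(SqlConnection connection, int customerId)
    {
        using (var cmd = new SqlCommand("usp_CountOrders", connection)) // constructed procedure name
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.AddWithValue("@CustomerId", customerId);
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

The same class serves the web service case: multicast it over the generated client proxies and the entry and exit lines give the duration of every outbound request, which is the first number you need when worker threads are being held by slow downstream calls.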

Muting sounds in a Chrome tab
https://malvinly.com/2015/05/01/muting-sounds-in-a-chrome-tab/
Sat, 02 May 2015 03:03:51 +0000

Although I still prefer Firefox’s developer tools for debugging, I have switched to Chrome almost exclusively for my day-to-day browsing.

A while ago, Chrome added an audio icon to indicate which tabs were playing sounds.

While I love this feature, I always wanted a way to manually mute a single tab. Well, there is a way and I can’t believe I never knew about it until now. Just copy and paste the following into Chrome’s address bar and enable the audio mute option:

chrome://flags/#enable-tab-audio-muting

Now I can click on the audio icon and mute a single tab without having to mute my entire computer.

[Images: “Audio icon in Chrome”, “Audio muted in Chrome”]

Encrypting files
https://malvinly.com/2014/10/16/encrypting-files/
Fri, 17 Oct 2014 04:49:19 +0000

I have several files I need to back up to the cloud. I looked at automated backup solutions like Mozy, CrashPlan, etc., but they were expensive compared to storage solutions like Amazon S3, Azure Storage, and others. So I figured that I can just encrypt the files myself and upload them to one of those services. I wrote the code below to encrypt my files:

Although the encryption code works, I still need to store the generated initialization vectors (IVs) somewhere along with the encrypted files. That’s kind of a hassle. Instead, I can prepend the IV to each encrypted file. When I’m decrypting a file, I can read the first 16 bytes and treat those as the IV.
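The prepended-IV layout described above, as an added example that is not the post’s code. It writes each file as [16-byte IV][AES-256-CBC ciphertext][32-byte HMAC-SHA256] and reads the IV back from the first 16 bytes on decryption. The HMAC is an addition beyond what the post describes: files sitting in third-party storage can be modified, and CBC without an integrity check will decrypt a tampered or truncated file into garbage without complaint, so the tag is verified in constant time before any decryption is attempted. The two keys are assumed to be 32 random bytes each, stored somewhere other than the backup target; reading whole files into memory is a simplification for the illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example. File layout: [IV 16][ciphertext][HMAC-SHA256 32 over IV+ciphertext].
// The IV is not secret and may be stored in the clear; the MAC is what detects tampering.
public static class FileCrypto
{
    private const int IvLength = 16;
    private const int MacLength = 32;

    public static void EncryptFile(string inputPath, string outputPath, byte[] aesKey, byte[] macKey)
    {
        File.WriteAllBytes(outputPath, Encrypt(File.ReadAllBytes(inputPath), aesKey, macKey));
    }

    public static void DecryptFile(string inputPath, string outputPath, byte[] aesKey, byte[] macKey)
    {
        File.WriteAllBytes(outputPath, Decrypt(File.ReadAllBytes(inputPath), aesKey, macKey));
    }

    public static byte[] Encrypt(byte[] plaintext, byte[] aesKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = aesKey;          // 32 bytes -> AES-256
            aes.GenerateIV();          // fresh random IV for every file
            byte[] ciphertext;
            using (var enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            byte[] output = new byte[IvLength + ciphertext.Length + MacLength];
            Buffer.BlockCopy(aes.IV, 0, output, 0, IvLength);                 // IV goes first
            Buffer.BlockCopy(ciphertext, 0, output, IvLength, ciphertext.Length);
            using (var hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(output, 0, IvLength + ciphertext.Length);
                Buffer.BlockCopy(tag, 0, output, IvLength + ciphertext.Length, MacLength);
            }
            return output;
        }
    }

    public static byte[] Decrypt(byte[] blob, byte[] aesKey, byte[] macKey)
    {
        if (blob.Length < IvLength + MacLength)
            throw new CryptographicException("file too short to contain an IV and a MAC");
        int bodyLength = blob.Length - IvLength - MacLength;

        // Verify the MAC before touching the ciphertext.
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(blob, 0, IvLength + bodyLength);
            byte[] actual = new byte[MacLength];
            Buffer.BlockCopy(blob, IvLength + bodyLength, actual, 0, MacLength);
            if (!FixedTimeEquals(expected, actual))
                throw new CryptographicException("MAC mismatch: file was modified or the key is wrong");
        }

        using (var aes = Aes.Create())
        {
            aes.Key = aesKey;
            byte[] iv = new byte[IvLength];
            Buffer.BlockCopy(blob, 0, iv, 0, IvLength);   // the first 16 bytes are the IV
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvLength, bodyLength);
        }
    }

    // Constant-time comparison so a wrong tag is not distinguishable by timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Encrypting the same file twice yields two different outputs because the IV differs, which is the intended property; a fixed or reused IV would let anyone holding two backups spot where the plaintexts share a prefix.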

Extracting text messages on iPhone
https://malvinly.com/2014/08/20/extracting-text-messages-on-iphone/
Wed, 20 Aug 2014 22:26:48 +0000

I bought an iPhone a few years ago and I’m about to switch phones. I didn’t want to lose the history of my text messages, so I wanted a copy of all of them.

After manually backing up the phone using iTunes, we can navigate to where the backup is stored locally. In my case, the backup is stored at:

All text messages are stored in a SQLite file named 3d0d7e5fb2ce288813306e4d4636395e047a3d28. There are two tables I’m going to focus on: message and handle. The message table contains your entire history of text messages and various flags indicating whether a message was sent or received, whether it was read, etc. The handle table contains a list of the phone numbers you’ve messaged and some additional information such as whether messages to them were sent as text messages (SMS) or iMessages.

Since I just wanted to backup my entire history, I can join these two tables using the following query:

I did have some trouble with the date column in the message table. The date column stores a number like 340475640, which I wrongly assumed was Unix epoch time counted from January 1, 1970. It turns out that dates in iOS are counted from January 1, 2001. The magic number 978307200 in the query above is the number of seconds between those two dates.

Because LINQPad has support for SQLite through the IQ driver, it was easy to use LINQPad to query this database using both SQL and LINQ.
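The join and the date conversion described above, as an added example that is not the post’s query or code. It uses Microsoft.Data.Sqlite and opens the backup file read-only, so it should be pointed at a copy of the backup rather than the live iTunes backup directory. The column names (handle.id, handle.service, message.handle_id, message.is_from_me, message.text, message.date) are assumptions drawn from the iOS sms.db schema; the post only names the two tables. The example also goes one step beyond the post: iOS versions newer than the one the post was written against store message.date in nanoseconds rather than seconds, so a value too large to be a plausible second count is scaled down before the 978307200 offset is applied.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Data.Sqlite;

public sealed class TextMessage
{
    public string Contact;      // phone number or address from handle.id
    public string Service;      // "SMS" or "iMessage" from handle.service
    public bool FromMe;         // message.is_from_me
    public DateTime SentAtUtc;
    public string Text;
}

// Added example: join message to handle and convert the iOS reference date.
public static class MessageExport
{
    // Seconds between 1970-01-01 and 2001-01-01 (the iOS reference date).
    private const long AppleEpochOffset = 978307200;

    // Column names below are assumed from the sms.db schema. Dates above 1e11 cannot
    // be seconds since 2001, so they are treated as nanoseconds and scaled down.
    private const string Query = @"
        SELECT handle.id, handle.service, message.is_from_me,
               CASE WHEN message.date > 100000000000
                    THEN message.date / 1000000000
                    ELSE message.date END AS date_seconds,
               message.text
        FROM message
        LEFT JOIN handle ON message.handle_id = handle.ROWID
        ORDER BY message.date";

    public static List<TextMessage> Load(string backupDbPath)
    {
        var result = new List<TextMessage>();
        var unixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

        using (var conn = new SqliteConnection("Data Source=" + backupDbPath + ";Mode=ReadOnly"))
        {
            conn.Open();
            using (var cmd = conn.CreateCommand())
            {
                cmd.CommandText = Query;
                using (var reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        long seconds = reader.GetInt64(3);
                        result.Add(new TextMessage
                        {
                            Contact = reader.IsDBNull(0) ? "(unknown)" : reader.GetString(0),
                            Service = reader.IsDBNull(1) ? "" : reader.GetString(1),
                            FromMe = reader.GetInt64(2) == 1,
                            SentAtUtc = unixEpoch.AddSeconds(seconds + AppleEpochOffset),
                            Text = reader.IsDBNull(4) ? "" : reader.GetString(4),
                        });
                    }
                }
            }
        }
        return result;
    }

    public static void Main(string[] args)
    {
        foreach (var m in Load(args[0]))
            Console.WriteLine("{0:u} {1} {2} [{3}]: {4}",
                m.SentAtUtc, m.FromMe ? "to  " : "from", m.Contact, m.Service, m.Text);
    }
}
```

Pass the path of the copied 3d0d7e5fb2ce288813306e4d4636395e047a3d28 file as the first argument. The LEFT JOIN keeps messages whose handle row is missing, which happens for some group or system messages; an INNER JOIN would silently drop them from the export.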

An organization’s leader
https://malvinly.com/2014/07/21/an-organizations-leader/
Mon, 21 Jul 2014 13:25:33 +0000

I chose the word “organization” very carefully. I did not say pod or company because this goes beyond the scope of the workplace. An organization is a group of people that share a purpose.

In 2013, I met a man that completely changed the way I think about leaders. This man was friendly, but intimidating at the same time. His directions were stern, but everyone followed them without question.

This man led a group of people who were very good at what they did. They participated in an activity that required a lot of teamwork. Each person in this group was already considered an extremely strong individual, but teamwork was the deciding factor for the success of the group.

The way this group operated was much different than anything I’ve experienced and it’s hard to describe how well it worked. The first time I participated, I was completely overwhelmed by how well everything worked while under pressure, just by the singular action of following the leader’s direction. Everyone had immense respect for the leader because he was on the front line along with everyone else. This group moved through obstacles like a rolling ball, everyone stayed close and moved as a single cohesive unit. This was the opposite of divide and conquer. Individual skill contributed to keeping the group as tight as possible, but following the leader’s direction was key.

Does that sound like your cookie cutter leadership article? It probably does. So why was this leader so different than everyone else? His charisma, willingness to stand on the front lines, and long history of success made me trust him completely. I wasn’t close friends with this man. In fact, I rarely spoke to him. In addition to that, the exclusivity of this group allowed me to surround myself with people who were extremely talented.

There’s not really a purpose or message in this blog post. This is just something I needed to get off my chest. I miss being part of a team that was led by that man. Will I ever find a group that operated as well as they did in the professional world? I have my doubts. Granted what we were doing was much different than programming. With all of today’s politics and bureaucratic bullshit, it really shows how inefficient things can get.